System - Content Security Policy

Overview

It's been said that a good Content Security Policy is the most important security measure you can take to protect your clients after switching to SSL. This plugin aims to make that implementation as easy as possible.

Installation

This page will remain unlinked, as the link may change in the future. Visit http://www.richeyweb.com and use the search feature - search for "System - Content Security Policy".

In Joomla /administrator, go to the "Extensions" menu, the "Manage" sub-menu, and the "Install" sub-menu.

Select the "Upload Package File" tab

Press the "Choose File" button to browse your system and locate the plugin file you downloaded

Press the "Upload & Install" button

At this point, the extension is installed but not enabled. You can find the plugin by going to the Extensions menu and selecting "Plugins". In the plugin manager, search for "Content Security Policy". Begin configuration with the AJAX plugin.

Configuration

AJAX Plugin

AJAX plugin configuration is only required if you wish to receive reporting data from clients. If you're not interested in receiving this data - you can skip this step and move on to the System plugin configuration below.

The only required setting to use the report gathering features of this plugin is to authorize your referrer (your domain name) as a source of data. If you haven't canonicalized your domain name (redirecting one form to the other), put both the www and non-www versions into the configuration.

If you choose to implement the CLI CRON job, you will need to have at least one recipient.

The final option causes the CRON job to delete the matched items after it emails them.

CRON Job

Users who are able to create CRON jobs on their server can use this feature to send an email to selected recipients. The script is designed to send the reports from the previous day as a CSV file. There is no point in running it more than once per day, as it only returns data from the previous day. Create your CRON job to run in the Joomla "cli" directory and simply run "php csp.php".
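The report flow described in the AJAX Plugin and CRON Job sections, as an added stand-alone illustration in Python (not the plugin's own PHP code): accept reports only from the authorized www and non-www referrers, parse the browser's standard "csp-report" envelope, and emit the previous day's reports as CSV. The host names, dates and report contents are constructed sample data.

```python
import csv, io, json
from datetime import date, timedelta
from urllib.parse import urlsplit

# Hosts authorized to submit reports: constructed, mirroring the AJAX plugin's
# "authorize your referrer" setting with both the www and non-www forms.
ALLOWED_REFERRERS = {"example.com", "www.example.com"}
FIELDS = ["received", "document_uri", "violated_directive", "blocked_uri"]

def envelope(doc, directive, blocked):
    # Build the standard "csp-report" JSON envelope a browser POSTs (sample data).
    return json.dumps({"csp-report": {"document-uri": doc, "violated-directive": directive,
                                      "blocked-uri": blocked}})

# Constructed sample rows (received date, Referer header, POST body) standing in
# for what the AJAX endpoint would have stored.
SAMPLE_REPORTS = [
    ("2024-05-01", "https://www.example.com/page",
     envelope("https://www.example.com/page", "script-src", "https://www.google-analytics.com/analytics.js")),
    ("2024-05-01", "https://evil.invalid/",
     envelope("https://www.example.com/", "img-src", "data")),
    ("2024-05-02", "https://example.com/about",
     envelope("https://example.com/about", "font-src", "https://fonts.gstatic.com")),
]

def referrer_allowed(referrer, allowed=ALLOWED_REFERRERS):
    # Accept a report only when the Referer host is one of the authorized names.
    return (urlsplit(referrer).hostname or "").lower() in allowed

def parse_report(body):
    # Pull the CSV columns out of the "csp-report" envelope; None if malformed.
    try:
        report = json.loads(body)["csp-report"]
    except (ValueError, KeyError, TypeError):
        return None
    return {k.replace("-", "_"): report.get(k, "")
            for k in ("document-uri", "violated-directive", "blocked-uri")}

def ingest(rows):
    # AJAX-plugin side: keep well-formed reports from authorized referrers only.
    return [{"received": received, **fields} for received, referrer, body in rows
            if referrer_allowed(referrer) and (fields := parse_report(body)) is not None]

def previous_day_csv(reports, today):
    # CRON side: CSV of the reports received on the day before `today` (ISO date).
    yesterday = (date.fromisoformat(today) - timedelta(days=1)).isoformat()
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(r for r in reports if r["received"] == yesterday)
    return buf.getvalue()
```

The Referer header is supplied by the client, so the allowlist keeps stray or misdirected submissions out of the data set rather than authenticating the sender.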

System Plugin

The configurations are extensive and complex. Each item label is a link to the documentation for that type of directive. Refer to the documentation if you are unsure about how CSP works.

I installed as in your video, Ajax and system, but when I look at the front end, nothing gets blocked. I can't put the external sites (like analytics, youtube, fonts etc.) in the system plugin in their respective positions.